Previously Flow sessions were stored like any other cache. Thus they were deleted whenever the cache was flushed. This lead to users being logged out after deployments if not taken special care.
From now on sessions are stored in a persistent cache by default so that authentication status and other sessions related information is not lost when flushing caches.
This is a breaking change because session data is stored using PHPs serialize function that could break if the underlying object implementation changed.

Currently, a type string of DateTimeImmutable will be parsed as DateTime. This, for example, leads to any entity properties annotated as @var DateTimeImmutable to be hydrated into a DateTime class instead.

Note that this is a hotfix at most, because the real issue is, that the regex does not check for a type ending character, like whitespace, line end or another non-word character. Therefore, it eagerly parses DateTimeImmutable by matching the DateTime prefix and taking that as the parsed type, which is wrong.

The format for converting from JSON encoded DateTime was wrong. The format doesn’t use the \T separator, but a whitespace and as it seems, v is not a valid format specifier for DateTime::createFromFormat while it is for date().

In multiple permutations, we tried to fix problems with cache identifier
uniqueness in cache backends that are shared like apcu or memcache.
In earlier days it included the PHP_SAPI and then in more recent times
the context and root path. With the refactoring of caches, these two
became the hardcoded applicationIdentifier which can be used by
any backend to add more specificity to cache identifiers.

It turns out that the root path doesn’t work well for some environments
and can result in bugs when used with eg. the PdoBackend and a
deployment that changes the root path (typical Surf or Deployer).

The only backward compatible way to fix this was to make the
applicationIdentifier configurable with a default that matches the
previously hardcoded values. That way nothing changes in existing
installations but if the bug appears it can be easily fixed.

When a site (or Flow Application) is locked because it is currently being parsed, a note that the service is not available will be shown. The appearance and contents of this message can now be customized using the new environment variable FLOW_LOCKHOLDINGPAG`E that overrides the path (relative to the `FLOW_PATH_PACKAGES) to the page shown when the site is locked.

The PackageManager::createPackage method now can create
packages into a possibly existing DistributionPackages
directory “automagically”, which then triggers a composer update.
While this is a good idea to push the concept of distribution packages,
it also breaks tests that clearly do not want to run composer
update. This can be fixed by providing a defined package path.

When no class schema can be found in loadMetaDataForClass, a Doctrine
MappingException is now thrown. This makes our code work nicely with the
change in https://github.com/doctrine/doctrine2/pull/7471/ that otherwise
leads to errors like this as of ORM 2.6.3:

```
FlowAnnotationDriver.php: No class schema found for “some-non-mapped-class”.

After switching from FileSystemSymlinkTarget to FileSystemTarget
the symlinks are still present in the targetPath and therefore Flow
tries to copy the stream content in the symlink (original file, same
stream) which results in a 0-byte file.

This fixes the instantiation and configuration of ThrowableStorage
implementations and also fixes stack traces and HTTP request information
in stored throwables.

This change is not breaking but as pre notice that in the next major the
ThrowableStorageInterface will have an additional method that is currently
commented and already used to instantiate throwable storages.
If you implement the interface you must already implement that additional
method despite it being not part of the interface. As the object configuration
for throwable storage doesn’t work without this change there cannot be a
working alternative implementation yet, so this shouldn’t break any project.

If the composer file has a local distribution folder identified by type path and
a local folder reference in the url new packages are created in the
distributionFolder and are required via composer require … @dev.

This contains a break up of the cross-dependency between
AuthenticationProviderManager and Security context.

First, a new TokenAndProviderFactory (with an interface) is
introduced to serve both the constructed tokens and providers
from the configuration. Additionally the session persistent
data was moved from the Context to the new SessionDataContainer
(marked internal). This makes the context a simple singleton to
the outside, avoiding duplication (security context injected
before the session was started would create a duplicate instance
without the session data (most notably some SQL security could
have that).

This change adds support for converting values that are received from serializing a DateTimeInterface object with json_serialize.
If the source array contains a property ‘timezone_type’ the source date string is assumed to be in the internal serialization format, which is “Y-m-d\TH:i:s.v” without timezone information, since the timezone is provided in the additional ‘timezone’ property.

Bugfix because it is possible to configure a maxlength in the form framework, but this leads to an exception. I didn’t realize there was no maxlength when I put it in form framework and the reviewers didn’t notice either, so now it is required to have it in the viewhelper.

maxlength in textarea is possible since html5 and is supported by all major browsers including IE since 10 ;)

Fixes an issue where running doctrine:migrationgenerate would never move the migration-file to the selected package. After doctrine:migrationgenerate has generated a migration, it asks whether the migration-file should be moved to a specific package. No matter what you choose, it would assume you chose “Don’t Move”.

Also fixes two related issues in the ConsoleOutput’s select method:
- Wrong typehint on $default, breaking the default answer functionality
- Wrong phpdoc typehint on $attempts, as it is an integer, not a boolean.

I added a testcase and modified a couple of other testcases for the ConsoleOutput as well.

In PropertyMapper checks if the $targetType is nullable and the given source, too. If this is true, return null. Also, in ReflectionService, the annotated type is properly expanded when annotated with ‘|null' or 'null|’.

typo3fluid/fluid expects specific exceptions to be thrown to implement
the feature of optional sections and partials. Neos.FluidAdaptor has to
throw these exceptions or derivates of them. Otherwise the exceptions won’t
be catched and displayed to the user.

typo3fluid/fluid expects specific exceptions to be thrown to implement
the feature of optional sections and partials. Neos.FluidAdaptor has to
throw these exceptions or derivates of them. Otherwise the exceptions won’t
be catched and displayed to the user.

fixes: #1347

What I did

I implemented solution 1 from the issue

How I did it

I made the exceptions shipped with FluidAdaptor inherit from the expected ones from typo3fluid/fluid